1. Field of the Invention
The invention relates to an enterprise management system for use in transporting application data between application devices over a network. More specifically, the present invention provides a method and system for securely managing an application device across a network.
2. Background of the Invention
Modern computer connectivity owes much to the increasing importance and cost of computers during the 1960s and 70s. Researchers questioned how two or more computers could be connected and their resources shared between users located at remote and different geographical points. Because the bandwidth needs of these dispersed users were intermittent—that is, short periods of high activity were interspersed between longer periods of little or no activity—researchers began developing the idea of a packet-switching methodology as an alternative to the relatively inefficient circuit-switching methodology of telephone circuits. During the 1970s, the foundation of modern networking was laid by the development of an architecture for connecting various networks together, embodied in the earliest forms of Transmission Control Protocol (TCP). The three key Internet protocols—TCP, Internet Protocol (IP), and User Datagram Protocol (UDP)—were conceived during this period.
The next two decades saw prolific growth in the number of networks, at least partly because of the Department of Defense's (DoD) and universities' efforts to interconnect their networks. Email and file transfer became more important to the communication of research and development among scholars. As interest in access to supercomputers grew, networks were developed to allow access to supercomputing centers.
The 1990s saw the most prolific growth in networking as the previous focus on scholarly and military use of networks turned instead to commercial use and the World Wide Web. Researchers made significant advances in routers and other routing technology. These developments have culminated in an increased presence of networks in all aspects of life, including such areas as financial transactions (e.g., automated teller machines and credit card verification systems), military and government applications (e.g., maintenance and control of power grids), and entertainment (e.g., video on demand).
The development of methods and systems for securely transferring data through these networks, however, has been largely out-paced by the development of the networks and the sophistication of the application devices themselves. This has left many application devices—the actual devices, whether software or hardware, that use the information delivered through the network—vulnerable to compromised network requests (integrity), counterfeited network requests (authenticity), or unauthorized network requests (authorization). In other words, information moving through a network to an application device could be tampered with while in transit, could be faked, or could be sent from a source not authorized to make such a request. Moreover, the transferred information might be replicated and then used elsewhere, raising confidentiality concerns. These risks are very real and occur on a daily basis, amounting to hundreds of millions of dollars in yearly fraud losses.
Present methods for securely transferring data between application devices that address these integrity, authenticity, authorization, and confidentiality components 1) do not adequately combine these elements to provide a secure, comprehensive network-centric capability for managing them, and 2) are narrow in scope, being tied to an application-specific implementation. For example, encryption has long been used to keep information confidential during transport. Federal Information Processing Standards (FIPS) Publication (PUB) 198 specifies an algorithm for applications requiring message authentication using a symmetric keyed-hash message authentication code (HMAC). The HMAC is used to authenticate both the source of a message and its integrity, but does not address authorization or confidentiality, and does not provide controls provable to a third party.
Similarly, digital signatures, such as those defined in FIPS PUB 186, may be used to authenticate a message, but do not provide confidentiality or provable data integrity without some other element, such as a trusted time stamp (e.g., American National Standard X9.95-2005 Trusted Time Stamp, developed by Accredited Standards Committee X9, Inc.). Combining a trusted time stamp with a digital signature removes the time stamp from the control of the content provider, so a digitally signed message cannot be back-dated without the back-dating being detected.
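As an added illustration (not part of the patent text), the following Go program shows the combination described above: a content provider's ECDSA signature is counter-signed by a separate time-stamp authority (TSA) key over the signature and the time the TSA observed, so any third party holding only the two public keys can verify it, and a claimed time other than the stamped one fails. The token encoding, the choice of P-256 ECDSA, the function names and the sample message are constructed for this example and are not taken from X9.95 or the patent.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// tsaDigest is what the time stamp authority (TSA) signs: the hash of the provider's
// signature bound to the time the TSA itself observed. This stands in for an X9.95
// token; the encoding here is constructed for illustration, not the standard's.
func tsaDigest(sig []byte, t uint64) []byte {
	sh := sha256.Sum256(sig)
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], t)
	d := sha256.Sum256(append(sh[:], buf[:]...))
	return d[:]
}

// signAndStamp: the provider signs msg; the TSA, not the provider, then fixes the time
// by signing tsaDigest. Returns the provider signature and the TSA counter-signature.
func signAndStamp(provider, tsa *ecdsa.PrivateKey, msg []byte, now uint64) (sig, tsaSig []byte, err error) {
	d := sha256.Sum256(msg)
	if sig, err = ecdsa.SignASN1(rand.Reader, provider, d[:]); err != nil {
		return nil, nil, err
	}
	tsaSig, err = ecdsa.SignASN1(rand.Reader, tsa, tsaDigest(sig, now))
	return sig, tsaSig, err
}

// verifyStamped needs only the two public keys, so any third party can run it. A
// claimedTime other than the one the TSA signed changes the digest and the check fails,
// which is how back-dating by the content provider is detected.
func verifyStamped(pPub, tPub *ecdsa.PublicKey, msg, sig, tsaSig []byte, claimedTime uint64) bool {
	d := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pPub, d[:], sig) &&
		ecdsa.VerifyASN1(tPub, tsaDigest(sig, claimedTime), tsaSig)
}

func main() {
	provider, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tsa, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	msg := []byte("transfer 100 units to account 42") // constructed sample message
	sig, tsaSig, _ := signAndStamp(provider, tsa, msg, 1700000000)
	fmt.Println(verifyStamped(&provider.PublicKey, &tsa.PublicKey, msg, sig, tsaSig, 1700000000)) // true
	fmt.Println(verifyStamped(&provider.PublicKey, &tsa.PublicKey, msg, sig, tsaSig, 1600000000)) // false: back-dated
}
```

Because the TSA counter-signature covers the provider's signature, it also cannot be transplanted onto a different signature or a tampered message.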
Current network management protocols, such as Simple Network Management Protocol (SNMP), may provide some low-level security and rudimentary network management capability, but are not sufficiently sophisticated to provide the necessary security management combined with flexible application device management capability. Thus, a need exists for a method of utilizing cryptographic elements—namely, encryption, authenticity, and data integrity—to yield true non-repudiation, meaning that these cryptographic elements are all provable to a third party. The prior art fails to provide this secure, comprehensive, network-centric capability for localized or remote management of Information Assurance Components, which include application devices, cryptographic devices, application subsystems, cryptographic subsystems and other network appliances used by commercial industry and the government.